CYBERSECURITY: GET SERIOUS, OR IT’S GAME OVER

BY JEREMY KAUTEN, CHIEF INFORMATION OFFICER AND SENIOR VICE PRESIDENT OF IT, VGM GROUP, INC.


A Letter From the Author

Jeremy Kauten

It all started with a tearful phone call from one of our members. Given their emotional state, I expected them to tell me the usual story – that they’d been hacked, their business was at a standstill, and that they didn’t know where else to turn but VGM. Instead, they told me that one of their biggest referral sources had called to inform them that they were conducting a security and business continuity audit of their business partners. They would not be making any more referrals to the member until they completed a 250-item questionnaire that touched on everything from their cybersecurity measures to their ability to survive a natural disaster.

They struggled to answer or even understand the imposing list of questions, they didn’t have any of the extra documentation that was being demanded along with their responses, and without referrals from this particular source, they couldn’t afford to keep their lights on. From their perspective, it was game over. We were able to coach them through their audit and keep their referrals flowing, but the scope and source of the incident made something very clear to me, and it needs to be shared throughout our membership and our industry immediately – it’s time to start getting serious about information security. Anyone who doesn’t is going out of business.

The internet has created a business environment with seemingly limitless potential. Unfortunately, while the digital landscape flows with milk and honey, it also has plenty of hungry predators lying in the weeds. If you’ve been operating your business under the assumption that hackers and cybercriminals aren’t interested in it, then it’s time to think again. You might be surprised to learn that the medical records and patient data you handle every day are the most valuable commodities that there are on the digital black market, and that your business partners will soon be auditing you right alongside the government in an effort to protect themselves against the possibility of those records being compromised when they share them with you.

They have every reason to worry.

Health care led all industries in cybersecurity breaches in 2018 – just as we did the previous year and the one before that. The Department of Health and Human Services received reports of more than 350 major health care data breaches last year, which exposed the protected health information (PHI) of more than 13 million people to hackers. Thirty-one breaches were reported this past March alone, with just under a million people affected. That statistic is up over 150 percent from the same time last year and shows no signs of slowing down.

Despite the overwhelming evidence to the contrary, the vast majority of business owners believe that their company is safe from hackers, viruses, malware, and data breaches. Many of them don’t have any security measures in place at all, which isn’t just irresponsible when it comes to our industry – it’s illegal. If you’re among the alarming number of providers who are still hoping that their small size, relative obscurity, or sheer dumb luck will save them from a hack or an audit, then this playbook was written for you. VGM is in business to keep your practice in business, and after repelling millions of cyberattacks on our own systems while facing audits from some of the largest insurance companies and health care referrers in the country, we’ve become experts in security and compliance.

Read on to discover the risks already facing your business and how you can protect it for years to come without disrupting everything you’re doing or breaking the bank. The digital landscape can be dangerous, but you don’t have to walk it alone.

Kindest Regards,

Jeremy Kauten, Chief Information Officer and Senior Vice President of IT, VGM Group, [email protected]


WHO ARE HACKERS?

Hollywood hasn’t done the American public a whole lot of favors when it comes to helping them understand what a hacker is. When they hear the word “hacker,” most people probably picture an eccentric, socially maladjusted basement-dweller with a closet full of black hooded sweatshirts who lives life off the grid surrounded by computer screens and soda cans. We tend to use the terms “hacker” and “cybercriminal” interchangeably, but the reality is that anyone with a degree in computer science has the skills necessary to hack. Hacking is nothing more than knowing how to identify weaknesses in computer systems or networks and use those weaknesses to gain access to them.

Not all hacking is illegal. In fact, many companies and government agencies employ hackers to help them secure their systems and their products by having them look for security vulnerabilities so that they can fix them. Unfortunately, the same skillset that lets someone secure a system or a software product can also be used to break into one. And, there are some enormous financial rewards to be had if you can get the right kind of information from the right computer network.

WHY PHI?

Why are hackers so interested in PHI these days? Simple. The black market values information based on the difficulty, risk, and potential profitability of exploiting it. Identity theft and credit card fraud continue to be popular forms of cybercrime, but increasingly stringent security measures implemented by banks and government agencies and the rise of services like LifeLock have made both pretty easy to detect, and they generally work only once before someone notices and takes steps to lock things down. This has led to a drastic reduction in black market value for things like Social Security numbers and credit card information.

Medical records, on the other hand, can allow someone to submit fraudulent claims to Medicare, Medicaid, or a private insurance carrier for years before anyone gets suspicious. These false claims are one of the primary drivers behind the rising cost of health care in our country, along with the constant audits and rule changes that providers have to deal with every year as CMS fights a losing battle to recover their stolen funds and prevent additional fraud in the future. Cybercriminals are stealing tens of billions of dollars annually from the Medicare system. Add in what they’re taking from other programs, both public and private, and the numbers are truly staggering.

That’s not all. As the health care system becomes increasingly reliant on technology to deliver better and more efficient care to its patients, hackers have come to realize that they don’t even need to sell PHI in order to make a quick profit from it. A new and increasingly popular strategy is to simply lock down the files of health care providers and the computer systems that store them and demand a hefty ransom payment to unlock them again. With lives literally hanging in the balance, many providers have had no choice but to give the hackers what they want so that they can get back up and running as quickly as possible.


ORGANIZED CYBERCRIME


It gets worse. With so much easy money at stake, hackers are starting to organize. The FBI suspects that a number of technology companies are probably fronts for hacking collectives working in shifts around the clock to steal information so that they can sell it to the highest bidder or use it for their own gain. If that weren’t bad enough, foreign governments are in on the action as well. Russia, China, North Korea, and Iran are just four countries we know of that have massive, state-funded hacking programs involved in everything from attempting to steal technology and trade secrets from American companies to transferring billions of dollars in wealth from our government to theirs by defrauding our health care system and filing false tax returns.

The NSA and the FBI are scrambling to respond to these state-sponsored hacking firms by deploying counter-hacking efforts to protect government computer systems and sponsoring education programs to encourage American business owners to take proper security measures. They’re also working hard to arrest foreign cybercriminals or extradite them to the United States to face justice. So far, they’ve made little headway. On a recent episode of 60 Minutes, a national security official from the Obama administration told the story of a troubling trend within the Russian government. When the FBI began investigating infamous Russian hackers Evgeniy Bogachev and Alexsey Belan, they asked the Kremlin for help. The Putin administration tracked both men down, but refused to hand them over. Instead, they offered them jobs. Being wanted by the FBI is apparently one of the best things that hackers can have on their résumé right now.

SMALL DOESN’T MEAN SAFE

At this point, you may be thinking to yourself that your business or practice is too small or too obscure for any of this to matter to you. You aren’t alone. About 85 percent of American small business owners feel the same way. The problem with that attitude is that hackers aren’t particularly interested in the size of your business. What they’re looking for is an open door. When they scan an IP address range and find one attached to an unsecured network owned by “XYZ Medical,” they aren’t going to stop to ask how large or small your company is. They’re going to get to work taking whatever they can from it.


The truth is about 40 percent of cyberattacks are made against companies with fewer than 500 employees. That number is quickly increasing as large businesses get serious about data security and take steps to protect themselves. This makes small businesses increasingly attractive targets as they continue to lag behind, and the effects are often devastating. The average cost of a data breach to a small business is in the hundreds of thousands of dollars, and about 60 percent of small businesses that fall victim to a cyberattack are forced to close their doors and declare bankruptcy immediately afterward.

THE AUDITS ARE COMING

Even if you never end up the victim of cybercrime yourself, the prevalence of it is changing the way that the medical industry does business. To understand why, we need to consider the case of a company outside of our industry. In 2013, Target paid around $65 million in an enormous multistate settlement after hackers broke into their network and made off with the credit card account information for more than 41 million customers. This was the largest data breach settlement ever reached at the time, and it set new industry standards for companies that store confidential customer information on their computer networks.

How did the hackers get into Target’s systems? They didn’t do it directly. Instead, they gained access through a third party that had access to Target’s computer system so that they could remotely control the heating and cooling systems in most, if not all, of their stores. Target had some decent online security in place at the time – but their HVAC company didn’t have any and was connected to their computer network 24/7 to monitor store temperatures. That connection provided an open door that allowed data thieves to take whatever they wanted from Target’s network with no resistance whatsoever.

THIS BREACH TAUGHT A BRUTAL LESSON TO COMPANIES EVERYWHERE – DON’T DO BUSINESS WITH PEOPLE WHO DON’T TAKE CYBERSECURITY AS SERIOUSLY AS YOU DO.

Fast forward to 2018, where medical records have become more valuable than credit card numbers, HIPAA fines drive the stakes even higher in the event of a breach, and major payers and providers like United Healthcare, Aetna, and Cigna have shelled out millions of dollars after falling victim to cyberattacks of their own. The major players in the health care industry are taking drastic measures to protect themselves, and that means cutting ties with business partners who refuse to get serious about security issues. Don’t expect anyone to make exceptions based on your long history of good will and mutual profitability. It’s highly unlikely that the business you’re doing with any of the insurance providers or referral sources you work with could possibly be worth taking such a gamble…even if it weren’t illegal for them to do so.

It’s not just a matter of risk. HIPAA requires that covered entities obtain “satisfactory assurances” in writing from their business associates that they will appropriately safeguard patient information and help them meet their requirements under HIPAA’s Security Rule. Several of the nation’s largest covered entities have begun seeking those written assurances in the form of massive security and compliance questionnaires that scrutinize everything from your company’s general approach to information security to its established policies and procedures for preventing a data breach or dealing with one after it happens. Some of these questionnaires are hundreds of questions long, and many demand additional documentation as well, like the results of your company’s latest network penetration test.

We’re seeing more and more of our members come to us in a panic because they’ve been approached by one or more of their biggest or most reliable payers or referral sources with lists of questions that they have no idea how to answer and demands for documentation that they don’t have. These requests are delivered with the ultimatum that their business will be shut out of any future business dealings if they can’t provide documentation of adequate system security within a specified (and often very short) timeframe. With CMS, the Office for Civil Rights (OCR), and the Department of Justice cracking down harder and harder on covered entities, it won’t be long before audits like this become standard operating procedure. In fact, you can eventually expect to be audited each and every time you approach a new source of referrals before they’ll even consider doing business with you. It may take time for us to reach that point, but it will happen.



What that means for the industry is this – no provider is too small or too niche not to have to worry about security and compliance anymore. Taking proper cybersecurity measures is part of the cost of doing business in the DMEPOS space now, and those who continue to ignore the issue in an effort to protect their bottom line stand to lose their entire business in a misguided attempt to save a few thousand dollars. We’re hoping that you’ll agree with us that betting your company’s entire future against the increasingly small chance that you can continue to fly under the radar isn’t the best business decision that you could make.

WHERE DO I START?

It’s no secret that the DMEPOS industry is one of the most challenging spaces in the entire field of health care. You’re already grappling with government audits, reduced reimbursement, shrinking margins, and a laundry list of rules and regulations that seem to change by the day. With all that’s been going on, I can’t blame you for being a bit discouraged by the news that the government isn’t the only one with its eye on you anymore. With your payers and referral sources gearing up to audit you and an increasing number of hackers hoping to use your business as a backdoor to get to them, I’ve given you a lot to be concerned about.

Fortunately, there is hope. A lot of the members we’ve spoken with usually assume that implementing the security measures their business partners are looking for is going to take way more expertise and money than they’ve got available to them. A lot of them even ask why they should bother making the investment at all when bigger companies seem to be getting hacked left and right. If corporate titans like Target, Anthem, and Aetna can get hacked, what chance does their small, family-owned company have?

The National Intelligence & Security Center has a great name for its cybersecurity education program – Know the Risks, Raise Your Shield. The shield analogy does a good job of answering that question. The reason that the health care sector is under such heavy attack from cybercriminals right now is that we have a lot of extremely valuable information that we haven’t done a very good job of protecting. It was the same way in the financial sector back when credit card fraud was such a huge problem. Financial institutions got hacked one after another until the industry got smart, regulated itself, and created new industry standards to solve the problem.

Like a Roman testudo, they all raised their shields together until it became riskier, more difficult, and less profitable for hackers to penetrate their systems. Unfortunately, that sent the bad guys looking for a softer target. That new target happens to be us, but it doesn’t have to be. With a basic understanding of how hackers do what they do and what kind of options exist for dealing with their attacks, you can be on the road to protecting yourself and passing your audits in no time. Protecting yourself means protecting the industry and preserving it for the millions of people who rely on it for the care that they need.

CYBERATTACKS EXPLAINED

One of the reasons many business owners don’t take action when it comes to security is a lack of understanding of what they’re up against. Just what are these “cyberattacks” everyone is talking about lately? In simple terms, a cyberattack is an attempt made by an individual or group of individuals to disrupt, destroy, or gain unauthorized access to a computer or a network without the consent of the owner. Most cybercriminals hack for personal or financial gain, though some simply enjoy the challenge or the sense of power that comes with being able to turn the technology people rely on so completely against them.


Cyberattacks usually come in one of the following forms:

Malware: Short for malicious software. Spyware, ransomware, and viruses all fall into this broad category. Malware needs to be installed on your computer just like any other piece of software. This usually happens when a user opens a suspicious email attachment, clicks on a link in an email or social media message, or visits a dangerous website. The software is usually installed without the user’s knowledge, and once it’s up and running, it can do any number of unpleasant things, such as:

• Block access to key programs or files.

• Disrupt your computer until it becomes unusable.

• Secretly obtain information and send it to the hacker.

• Install copies of the malware on other computers connected to the network.

• Allow the hacker to see or even directly control everything that happens on a given system.


The most common and dangerous malware threat to emerge recently is ransomware, which locks down or encrypts important information and makes it inaccessible unless the user pays a certain amount of money to the hacker. Victims usually have few options aside from paying the ransom and hoping that the hacker returns their data to them, which doesn’t always happen. One in 10 ransomware victims don’t receive a decryption key even after they give the hacker what they want. It may seem strange to you that most cybercriminals do, in fact, return the files that they’ve taken after being paid off. Don’t be fooled into thinking that there’s honor among thieves, however. They do it to encourage future ransomware victims to pay up. No one would ever pay if they thought that they weren’t likely to get their files back after doing so.

Phishing: The hacker tries to craft and send an email that fools the recipient into taking some kind of harmful action, usually clicking a dangerous link or opening an attachment. The email is often made to look like it’s coming from someone the victim knows and trusts, such as their boss or one of their business associates. Taking the action requested by the email results in malware being installed or directs the victim to a false website that looks just like the real one where they’re asked for sensitive information like usernames or passwords. Most of these emails are poorly written and sent out to thousands of people at once, but some are carefully crafted to look just like something your boss or a friend would send you.
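The tell-tales described above (a sender who only looks like your boss, a Reply-To that quietly redirects answers, a link whose real host is not the one the text suggests) can be checked mechanically. The following Python is an added example written for this page, not VGM's or the author's tooling; the trusted-domain list, the two sample messages and the reserved domain example.com are assumptions.

```python
"""Flag the phishing indicators the text describes in a raw email message.

Constructed example for this page: a message that claims to come from the
reader's CEO, and a legitimate internal notice for comparison.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse
import re

# Domains the reader's organisation really uses (assumed; example.com is a
# reserved documentation domain, not a real organisation).
TRUSTED_DOMAINS = {"example.com"}

# Character swaps that make a fake domain read like the real one on screen.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

URGENCY_WORDS = {"urgent", "immediately", "today", "asap"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: sender domain "exarnple.com" imitates "example.com",
# replies are redirected, and the link host merely contains the trusted name.
SAMPLE_PHISH = """\
From: "Pat Jones (CEO)" <pat.jones@exarnple.com>
Reply-To: accounts-update@mail-secure-login.net
To: staff@example.com
Subject: Urgent wire transfer needed today
Content-Type: text/plain

Please log in at http://example.com.secure-login.net/portal and confirm
the payment before noon.
"""

# Constructed sample: a genuine internal message, nothing to flag.
SAMPLE_LEGIT = """\
From: "Pat Jones" <pat.jones@example.com>
To: staff@example.com
Subject: Updated travel policy
Content-Type: text/plain

The new policy is on the intranet at https://intranet.example.com/policies/travel
"""


def normalise(domain: str) -> str:
    """Fold look-alike character pairs so 'exarnple' compares as 'example'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with the usual dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Untrusted domain within one edit of a trusted one after folding."""
    if domain in trusted:
        return False
    return any(edit_distance(normalise(domain), normalise(t)) <= 1 for t in trusted)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw: str, trusted=TRUSTED_DOMAINS):
    """Return (indicator, detail) pairs; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if is_lookalike(from_domain, trusted):
        findings.append(("lookalike-sender", f"{from_addr} imitates a trusted domain"))

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_addr}, not {from_addr}"))

    subject_words = set(re.findall(r"[a-z]+", msg.get("Subject", "").lower()))
    if subject_words & URGENCY_WORDS:
        findings.append(("urgency-cue", "subject pressures the reader to act now"))

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in trusted or any(host.endswith("." + t) for t in trusted):
            continue
        # A trusted name buried inside a longer host name is a classic disguise.
        detail = "only contains a trusted name" if any(t in host for t in trusted) else "is not a trusted domain"
        findings.append(("untrusted-link", f"{host} {detail}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample))
```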

Eavesdropping Attacks: This is where a hacker inserts themselves into a transmission from one party to another, like someone picking up another receiver on the same telephone line while you’re talking to a friend. Hackers usually use WiFi routers for this. A lot of people just plug wireless routers right into their networks without changing the default password on them, which makes it pretty easy for someone to log into the device and watch all of the data going in and out of it.

Hackers can also set up fake access points in public places like restaurants or airports. Using the internet through their conveniently located hotspot allows them to see absolutely everything that you do while you’re online. Have you ever been at your favorite coffee shop and wondered why there are five different wireless networks that all say that they’re the guest network for the place? This is probably the reason.

Zero Day Exploit: This is when a hacker uses a vulnerability that they’ve found in a computer program that hasn’t been discovered or fixed by the creators of the software yet. Vulnerabilities like this are the reason that Microsoft and other companies are always releasing updates for their software. Those updates are plugging the holes that hackers can use to get into your system and cause problems. That’s why fixes like this are often called a “patch.”


It’s called a “zero day” exploit because once the problem has been identified, every day that goes by increases the likelihood that someone will fix it. Hackers have to act fast before the vulnerability can be patched if they want to take advantage of it. If you’re not downloading and installing regular updates from Microsoft, Apple, or your other software providers, then these holes remain open and available for hackers to slip through.

HOW CAN I PROTECT MYSELF?

Taking on the challenge of keeping your business safe from cyberthreats may seem scary at first. The whole topic of cybercrime usually sounds complicated and mysterious, and many tech experts can muddy the waters even further by throwing around a lot of high-flying technical language while they try to explain things to you. If you’ve been avoiding the issues of security and compliance because they seem too big, complex, or costly to deal with, then it may be time to rethink your approach. Not only are they easier and cheaper than they once were, but VGM offers access to the same expert advice, quality service, solid vendor relationships, and membership discounts that you’ve come to expect from us in every other aspect of your business.

You don’t have to immediately take all of the steps that I’m about to recommend, but each of these things will go a long way toward keeping you safe from the bad guys while helping you pass an audit from the government or your business partners with a minimum of fuss. If you have any questions about any of these options, don’t hesitate to reach out to your Membership Account Manager here at VGM. Their job is to connect you to the right person within our organization to meet your needs, and they’re extremely good at it.

GET INSURED

The first thing I always recommend to anyone when it comes to tackling cybersecurity is to buy insurance as soon as possible. There are some great offerings out there from a number of providers that are scaled based on the size of your company and the amount of protected information you deal with. It’s possible that your business insurance provider has a cyber policy that they can add to your existing coverage, and bundling in this way can occasionally save you some money on premiums.

Most carriers have some basic security measures they’ll expect you to have in place before they’ll assume the risk of covering you, but they will be up front with you about these things and generally offer solid advice and assistance with meeting their requirements. Once you have a policy in place, you’ll probably find that they’ll give you access to some great information and resources that will help your business stay secure at no additional cost. This may seem too good to be true, but you have to keep in mind that it’s far more cost-effective for them to help keep you safe than it is for them to pay a claim.

The expenses associated with a successful cyberattack can be hundreds of thousands or even millions of dollars. Trust me when I tell you that you don’t want to be in a position where you need to pay for those costs out of pocket. In this industry, you probably can’t. I’ve already had a number of members tell me that not taking my advice to get some insurance was the worst business decision they ever made. Make sure that you learn from their example.

When setting up a cybersecurity policy, you’ll want to make sure that it includes:

• Notification Costs: This is the cost of notifying your patients that their information has been compromised after a breach and buying them identity theft protection as required by law. You can expect this to cost around $400-600 per record, and that adds up quickly. This is one of the first and most important things that you’ll want to be included in your policy, and you will want to be absolutely sure that it covers the number of records that you have multiplied by that $400-600 figure at minimum.


• Cyber Extortion: As distasteful as it is to think about paying money to a hacker after they’ve made a victim out of you and your business, you might not be left with much choice in the event of a ransomware attack. Your policy should cover any ransom payments that you end up having to make to recover your data.

• HIPAA Fines and Assessments: After you’ve reported a cybersecurity incident, OCR will conduct an investigation into how it occurred. Should they find that you somehow failed to meet your responsibilities under HIPAA, you’ll be assessed a substantial fine based on the damages and the degree of negligence that they determine was involved.

• Business Interruption: It can take a lot of time to get back up and running in the aftermath of a cyberattack, and every day that you aren’t seeing patients means lost revenue for your business. You’ll want to make sure that your policy includes some kind of provision for this lost income.

• Cybercrime Coverage: If a hacker gains access to your email account, there are all kinds of nasty things that they can do with it by sending messages to your employees and your customers in your name. In some cases, a judge might rule that you’re liable for the damages caused to anyone that gets defrauded by a hacker posing as you or one of your associates. You also want to be covered against instances where an employee might make a transfer of funds thinking that it’s you asking them to do it. Be sure that your policy is written with this in mind.


Don’t make the mistake of assuming you’re covered under somebody else’s policy, like a software provider or one of your referrers. It’s entirely possible that they will have cyber insurance coverage, but their policies will cover only them for hacks against their networks. If your company gets hacked, you’re probably on your own. That’s why it’s so critical that you’ve got a policy in place that makes sense for you and your business. Call your insurance carrier about this today. Right now. If the worst ever happens, this is probably the one and only thing that will save your business from bankruptcy.

EDUCATE YOUR EMPLOYEES


The old adage that an ounce of prevention is worth a pound of cure has never been more true than in the realm of cybersecurity. Hackers don’t just manipulate computer systems. They manipulate people. The vast majority of cyberattacks require someone within your organization to do something that allows the hacker to gain access, and cybercriminals have become extremely good at fooling people into helping them get what they want. All it takes is one wrong mouse-click by one of your employees to turn your company into a statistic, so teaching your staff to recognize the techniques that hackers use to trick people into letting them into a network is one of the best and cheapest things that you can do to stay secure.


There are plenty of decent information security courses available today. At VGM, we actually require all of our employee owners to take cybersecurity training through VGM Secure, a product offering from VGM Education that is powered by Ninjio. Whatever solution you decide to use, make sure that it isn’t just “one and done.” The world of cybersecurity is constantly evolving, and new threats emerge all of the time. You want to be sure that your people are always aware of and on the lookout for the latest dangers. You’ll also want to be sure that your training program provides tracking and reporting features that allow you to verify that all of your employees are current and provide evidence to this effect to an auditor upon request.

You’ll also want to consider the amount of time required for your employees to get through the material. People usually learn better if you feed information to them in bite-sized chunks as opposed to making them sit through an all-day lecture. Considering this will also help you to minimize disruption and downtime as your employees work through their training.

Finally, make sure that there’s some kind of assessment element included in the training. It’s one thing for someone to just sit through a class or stare at a screen while watching a video, but it’s another thing entirely for them to have to prove that they got what they needed to out of their sessions. Even a short quiz can help aid retention, and it provides one more piece of evidence that everyone in your office is compliant.

PUT EFFECTIVE POLICIES IN PLACE

HIPAA’s Security Rule requires all covered entities and their business associates to establish administrative, physical, and technical safeguards for the PHI they store and transmit every day. That means establishing a set of clearly defined, written security policies for your employees to follow. When CMS, OCR, or one of your payers or referral sources asks to audit you, they’re going to be checking very carefully to make sure that you have solid information security policies and procedures in place at your office that reflect industry best practices. Just as importantly, they’re going to ask to see proof that your employees are all in compliance.

When drafting security policies for your company, you’ll want to be sure you address the following:

• Regulatory Compliance: As mentioned in the previous section, you want to make sure that employees know their individual responsibilities and roles for helping your company meet its requirements under HIPAA.

• Information Security: All of your employees should have some basic knowledge and responsibility for keeping PHI secure. Employees with more access privileges should have additional procedures in place to keep them safe and accountable in their daily work.

• Business Continuity/Disaster Recovery: On average, 36 days pass between the initial attack on a health care provider’s systems and the detection of a breach. It usually takes another 10 days to lock everything down and restore systems to proper working order. How will you ensure that your patients can still receive the care that they need during that time, and who will be responsible for making sure that this happens?

• Service and Data Integration: If you allow third-party vendors regular access to your network to supply your company with services, make sure you’re holding them accountable for data security on their end! Hackers can exploit their unsecured connection to your network, just like they did with Target through their HVAC company.

• Multitenancy: Many smaller businesses share their buildings or office space with other companies. You should have controls in place to separate and protect your data from theirs, especially if you share services like internet connections or telephone systems.


• Incident Response: Someone at your organization needs to know how to detect and report a data breach on your network.

• Physical Security: Not all data breaches take place over the internet. Make sure you have controls in place to limit unauthorized access to the computer hardware that stores your PHI. Hackers have been known to walk right into office buildings and make off with computer equipment so that they can take it home and break into it at their leisure.

I’ve provided some sample audit questions at the end of this playbook you can use to see how you’re doing with regard to your policymaking. If you’re able to answer “yes” to most of the questions on the list, you’re probably in pretty good shape when it comes to security and compliance. If that isn’t the case, don’t worry! Your VGM membership gives you complimentary access to VGM Technologies, and we’ve passed audits from some of the biggest names in the industry. Whether you’re currently being audited or just want some help with getting some good policies established beforehand, we can provide expert consulting services at no charge to VGM members.

KNOW AND ADDRESS YOUR HIPAA RESPONSIBILITIES

Do you know your company’s classification under HIPAA? Can you say, beyond a shadow of a doubt, that you’re in compliance with all of your responsibilities under HIPAA? Most people in our industry are at least vaguely familiar with HIPAA’s Privacy Rule, but many are often shocked to learn that HIPAA also includes a Security Rule that spells out the responsibilities of covered entities and their business associates with regard to protecting PHI. The requirements it sets forth are much more detailed and complicated than keeping your patient records under lock and key.

Do you regularly conduct assessments of the potential risks to the confidentiality, integrity, and availability of your patient records? Can you produce the results of your last assessment on demand? Do you have a set of policies and procedures in place that address the risks and vulnerabilities that you discovered and properly discipline employees who don’t comply with them? Can you provide your policies in writing along with evidence that your employees are familiar with them and regularly following them? Do you have a staff member who is officially designated as being responsible for data security? Do you limit access to PHI based on a staff member’s role and responsibilities? Do you have a system in place to readily identify who accesses your PHI and when?


If you answered “no” to any of the above questions, then you’re probably in violation of the Security Rule – and this is only a small fraction of the guidelines spelled out there. The good news is that you’re not alone. In a recent report from OCR containing data from random audits of more than 200 U.S. companies of varying sizes, they discovered that only 14 percent of them were even mostly compliant under the Security Rule. The bad news is that OCR has declared its intention to audit every single entity that’s covered under HIPAA and start cracking down on them in an attempt to get them to take security more seriously. That means that it’s not a matter of if they’ll get around to your office. It’s when.

When they finally get around to you, you do not want to be found lacking the proper policies and safeguards that HIPAA demands with regard to information security. With the medical industry setting records every year for the number and severity of its data breaches, the fines for violating the Security Rule are steep. They get even worse if you actually have a breach and OCR’s investigation determines that it was made possible because you weren’t in compliance. In cases like that, we often find that the offending company gets fined right out of existence.

The most common HIPAA violations are:

• Mishandled Records: A lot of people think that they can get around the issue of cybersecurity altogether by refusing to store their records electronically in the first place. They assume that keeping hard copies of everything makes them more secure, but they’re forgetting how easy it is to misplace a paper document, forget to lock a filing cabinet, or toss a record in the trash instead of disposing of it properly. The fact is that storing records physically causes more problems than it solves, which is why most payers and referral sources are requiring their business associates to store and transmit records using software systems like Brightree. It’s only a matter of time before “going paperless” becomes an industry standard.

• Social Media: We’ve gotten so used to using social media that we snap pictures and upload them without even thinking about it. Unfortunately, those selfies your employees are taking at the office might have a patient or one of their records in the background. Once you’ve shared that photo for all the world to see, you’ve broken the law. Hackers and government workers monitor the social media pages of medical companies constantly to check for slip-ups like this, albeit for very different reasons, and the consequences can be dire for you and for your patients.

• Home Computer/Personal Phone Access: We understand that sometimes you need to take your work home with you, but this can be risky when it comes to handling patient records. Is your home computer or network secured to the same extent as the ones at your office? Is your phone locked down so that if you leave it somewhere, a passerby can’t pick it up and easily access your patient records or email? If not, then you’re creating a channel that hackers can easily exploit to get access to information that might have stayed secure if it stayed at the office.

You can find all of the information that you could ever want about HIPAA at the Department of Health & Human Services website, which can be found at www.hhs.gov. If you’d like to ask some general questions about HIPAA and your responsibilities under it, give your Member Account Manager a call and ask to speak with Mark Higley. Mark is our VP of Regulatory Affairs at VGM Government Relations, and he’s an expert when it comes to the content of the law itself.

INSTALL A FIREWALL, AND TEST IT OFTEN

A firewall is a software program that prevents unauthorized traffic from going in or out of a computer network. Think of it like a border checkpoint that isolates your office’s network from the internet and inspects all of the data going in or out to determine if it should be allowed to pass. When it detects an unauthorized transmission on either side, it stops it from going through. The company installing the firewall can configure it to be very particular about what kinds of traffic are allowed to pass through it.

This may sound complicated, but firewalls are actually very easy to install and operate. Your IT person should be able to put one in place for you, and there are plenty of cybersecurity companies that can help you if you don’t have one. The best firewall solutions are tailored to the specific needs of your business and constantly monitored by whoever puts them in place so that intrusion attempts can be detected and repelled as they happen. You’ll want to make sure that whoever installs your firewall can provide you with risk assessment and penetration testing services and provide you with proper documentation of these tests for your auditors.


Installing a firewall can be one of the best investments that you make, as hackers are always looking for the path of least resistance. If they go looking for medical companies to hack and find one with a firewall and one without, they likely won’t even bother trying to breach the firewall. After all, why should a thief go to all of the trouble of trying to break the lock on one door when they can just stroll through the open one next to it and get what they want without fuss?

UPDATE YOUR HARDWARE AND SOFTWARE

Like a lot of small businesses, DMEPOS providers often have to find savings where they can. Unfortunately, this often means that they’re using “legacy” computers with old versions of operating systems that are no longer supported or updated by their manufacturers. Whether your office is using Windows or macOS, you should always be running the latest version of whatever operating system that you rely on. When Microsoft and Apple put out updates for their products, they aren’t just adding new features or fixing bugs. The majority of updates are critical security patches that keep hackers from getting into systems that run their software.


If you’re using old computer systems that can’t run Windows 10 or OS X, then it’s time to replace them. The cost of upgrading your hardware (the physical computer equipment) and your software (the programs that run on that equipment) has never been lower. You can buy a pretty decent PC for around $400 these days, and software licenses can be bundled together for business users so that they become far cheaper than going to the store and picking up several copies off the shelf.

If you aren’t sure what you should be buying, VGM Technologies can help. Not only can we provide a hardware/software consultation at no cost, but we can also connect members with the same vendor partner that VGM uses to meet its ever-increasing technology needs.

BACK UP OFTEN, AND STORE DATA OFFSITE

If your office burns down tomorrow, what will happen to all of your computer files? Can you get them back so that you can keep doing business? One of the most important steps that you can take from a business continuity and disaster recovery standpoint is making regular backups of all of your important data and storing those backups at least 250 miles away from your office. It doesn’t do any good to store your backups at the office, because if something happens to your building and the computers inside, they’ll be lost right along with them.

Some of you might remember the ransomware attack that hit the city of Atlanta, Georgia, last summer. The entire city government was brought low and sent back in time to the 1950s for three straight months. City workers at every level were forced to do everything on paper while their IT department worked desperately to cleanse their computer systems and restore their backups. They avoided paying the ransom, but in the end they probably should have. They lost more than the $50,000 that the hackers were demanding on the first day, and their backups weren’t nearly as current or robust as they should have been. The whole mess could have been over in a day if they’d had better backup procedures in place.

Our recommendation is to use a cloud-based storage solution rather than a physical one. Hard drives wear out, they break down, and they’re easily lost or destroyed. The best solution that you can get is Microsoft Azure, which is a commercial-level backup and recovery solution that scales to suit any sized business. Azure can take “snapshots” of the computers on your network at regular intervals. I highly recommend that you do it daily. These snapshots can be restored fairly easily by just about any IT person, and you can keep an archive of them that allows you to restore to any day in the past week, month, or year depending on how much storage space you decide to buy.


Once you have a backup system in place, don’t just assume that it’s working. Make sure you test it! It’s a good idea to make your IT people prove to you that they can restore a backup from any given day on demand. Have them show you that they can do this at least once a month, and have them show your employees how to do it so that you don’t have to wait for them to be available in an emergency. Not only will this keep you safe from malware, but it will give you the peace of mind that comes with knowing that your precious data is always recoverable whenever you need it.

CONSIDER YOUR BYOD APPROACH

BYOD stands for “Bring Your Own Device.” There are a number of potential risks involved with allowing employees and guests to connect their personal phones or computers to your company’s network, and you’ll want to think about whether or not you want to allow them to do so as you consider your security measures. Depending on the size of your business and the amount of PHI that you store and transmit, allowing users to use their own devices can make a lot of sense. Just make sure that they’re taking proper precautions!

People lose their cell phones all of the time, but this all-too-common mishap can spell big trouble for your business under the right set of circumstances. What if one of your employees left their phone at a bar one night and didn’t have any sort of password protection on it? That would mean that anyone who found it would instantly have access to their email and any other company resources installed on the phone. If that includes PHI, you’d be required to report the lost phone and its lack of password protection to OCR and probably end up paying a five to six figure fine for your trouble. Finding an unlocked phone or laptop with access to medical records would be like an early Christmas gift to any hacker.

VGM doesn’t allow computers that aren’t owned by the company to be connected to our corporate network at all. Instead, we offer a guest network that provides an internet connection without access to any company resources or files for anyone bringing a computer from home. We allow employees to use their own cell phones on our guest network, but they have to read and sign our BYOD policy before we’ll set it up for them. We also require that they let us disconnect their phone from all company resources and wipe it clean of any sensitive data if they ever leave our employ.

Having employees use their own devices can be cost-effective and efficient depending on your situation. I usually tell people to consider disallowing BYOD and simply provide a computer and a phone to all of their employees who need them, as this is the easiest way to make sure that you aren’t creating vulnerabilities that will cause problems for you later. If you need to let people bring their own stuff, then you need to make sure that you have a policy that makes sense for your business and that you enforce it.

DON’T BUY A CHEAP WEBSITE

Web pages don’t just magically appear on your web browser when you type a URL into the search bar. Every single one of them is stored on a computer somewhere, and hackers can gain access to those computers just as easily as any other if they aren’t properly protected. There are plenty of business owners who make the mistake of hiring a freelance web designer or a family member to create and manage their website without asking any questions about where and how they’ll be hosting it. If you’re taking advantage of popular software tools that allow patients to access their information directly through your website, then you’ve very possibly just given your freelancer access to all of your PHI along with anyone else who can access their server.

It’s not just data security and HIPAA compliance that you need to be worried about here. One of the more popular pastimes for hackers is to try to gain access to web servers so that they can vandalize corporate websites or reprogram them to install malware on every computer that visits them. The last thing you want for your business is for people to head to the web address that you’ve been trying so hard to promote only to find pornography, vulgarity, hate speech, or whatever else a hacker thinks might be funny to upload. It would be just as unfortunate if they ended up with a computer virus just for visiting your site.

Companies who fall victim to this kind of vandalism often find it impossible to regain the trust of their customers even after they correct the problem. Your patients will justifiably be asking themselves how safe you’re keeping their data if you can’t even keep hackers away from your web page.

When it comes to web hosting, make sure that your web host can provide you with:

• High Availability and Disaster Recovery: You don’t want potential customers seeing an error message when they go to your website telling them that it’s unavailable. Go with a host that can guarantee you as close to 100 percent “uptime” as you can get, and ask them how often they perform backups and how those backups are stored. You probably put a lot of money and effort into designing your site, so you don’t want to lose it if your host’s building burns down.

• Best Practice Certification: You want to get your web hosting from a company that’s willingly complying with industry best practices, including security. SSAE 16/18 or SOC 2 certifications mean that a company voluntarily passes regular and rigorous audits that include examinations of their security measures and policies. It’s also a good idea to ask a hosting company if they can confidently state that their hosting is HIPAA compliant. Most hosting companies worth their salt will know what that means and be able to tell you up front.

• SSL, Firewalls, and DDoS Protection: Secure Sockets Layer (SSL) is an encryption method that ensures a secure connection between your website and the user, which prevents eavesdropping and data theft as the information travels from your host’s server to their browser. Distributed Denial of Service (DDoS) attacks are attempts made by hackers to slow down your website to the point where it’s unusable by bombarding it with overwhelming amounts of web traffic. A firewall is a combined hardware and software solution that prevents unauthorized traffic to your website, which includes hacking attempts and DDoS attacks.

• Network Monitoring: Someone should be watching your web server 24 hours a day for signs of intrusion and be ready to deploy countermeasures immediately to kick a hacker off of the server that your website is stored on.

• Antivirus/Malware Protection: Someone should also be watching your web server for any attempts to upload malware to it and be ready to remove it immediately when necessary.


START SMALL, BUT START SOMEWHERE

Hopefully, this playbook has made you feel a bit better about protecting your business. I’ve done my best to de-mystify the concepts that surround hacking and give you some solid first steps to take on the road to data security. If you’re still feeling overwhelmed, please reach out to us. If you’ll give us a call and take some time to discuss the needs of your particular business, you’ll probably find that meeting your HIPAA requirements and keeping your business safe is far easier and less expensive than you think.

Look at it this way – you have to secure your data to continue operating your company, but you don’t have to do everything that I’ve recommended here today. The important thing is to take the first step, get some good advice about practical and cost-effective solutions for you and your business, and start implementing them one at a time. Don’t be embarrassed to admit that you don’t know anything about data security. There are plenty of experts here at VGM who can help you with that. If you have been hacked, don’t be afraid to admit that either. Instead, be proactive about making sure that it never happens to you or anyone else ever again.

Know the risks and raise your shields. If every DMEPOS company in the country got serious about security and took action, we’d see a lot fewer data breaches and a whole lot less scrutiny.

We like to think that our industry has one of the greatest communities in existence. Let’s work together to keep that community safe. There are fewer providers now than ever before as consolidation and market pressure continue to take their toll. Let’s not let cybercriminals make things even worse for us. By working together and protecting one another in this way, we’ll also be helping to protect our patients and the American taxpayer.

The digital landscape can be dangerous, and navigating it isn’t always easy. When the predators show their teeth, protect yourselves and protect each other. When you aren’t sure how, let us help you. That’s what VGM has always been here for.

Take care, and be safe.


ABOUT THE AUTHOR

Jeremy Kauten is the chief information officer and senior vice president of IT at VGM Group, Inc. He’s spent his entire career in the cyber-world, and currently focuses on protecting computers, networks, programs, and data from unauthorized access, change, or destruction while coordinating the optimization and use of technology throughout the 28 business units of VGM. Jeremy’s involvement at VGM started in 1997, when he committed himself to growing VGM Forbin and positioning the organization as a leader in web development and online security.

Jeremy is a regular contributor to the trade press, and is a frequent technology speaker at industry events. He earned a Bachelor’s degree in marketing and business management from Upper Iowa University, with additional credits from the computer information systems program from the University of Northern Iowa. He also holds an AAS in law enforcement and an MBA at the University of Iowa Executive Master of Business Administration Program. In 2018, Jeremy attended the annual Black Hat Security Conference and completed their Advanced Practical Social Engineering Course, which provides insight into the psychological tactics that hackers use to manipulate their targets.

Connect with Jeremy on LinkedIn or contact him at [email protected].


HOW IS YOUR COMPANY DOING?

This questionnaire provides a nice sampling of the sorts of questions that your company will be asked as part of a security and compliance audit. An actual audit would be far more detailed and nuanced, but this is a decent high-level example. I’d encourage you to see how much of it you’re able to fill out. If you find that you can’t say “yes” to very many of these items, then your security efforts could probably use some attention.

REGULATORY COMPLIANCE

1. Are you a Health Insurance Portability and Accountability Act (HIPAA) covered entity?

2. Would you be considered a business associate under HIPAA? What is your specific role or function in this capacity?

3. What other laws and regulations are you required to comply with (e.g., PCI DSS, GLBA)?

4. Are you audited by external parties? If so, identify the organization and the type of audit being conducted.

5. Describe your risk management program.

6. How often are risk assessments performed? Will you provide a summary of results of your most recent risk assessment to our organization?

7. Who performed your last risk assessment?

8. Have all high- and critical-rated deficiencies from the risk assessment been remediated, or do you have a Plan of Action and Milestones (POAM) in place?

9. Has there been a breach of your company’s network resources within the last 12 months? If so, could you provide details of the violation and the actions taken to mitigate the threat?

10. Has there been a breach of any of your third-party vendors’ network resources? If so, what actions did you take to ensure that proper mitigation efforts were implemented?

11. Do you require third-party vendors to contractually indemnify you for data breaches?

12. How do you validate the information contained within the risk assessments?

13. Does your organization conduct internal/external network penetration tests and/or vulnerability scans? If so, how often are they performed?

14. Will you make available documentation verifying the completion of the penetration testing and/or vulnerability scans?

INFORMATION SECURITY POLICY AND TRAINING

1. Does your organization have an active information security program? If so, how is it managed and implemented throughout your organization?

2. Does the program cover the organization’s responsibilities to comply with laws and regulations applicable to your organization?

3. Does your organization have an employee information security training program? If so, how often is training required?

4. Does the information security training program cover the procurement, dissemination, and administration of PHI information?

5. Does the program require additional training and guidance for personnel with elevated privilege levels and access requirements?

6. Does the program provide training regarding the roles and responsibilities of both privileged and standard network users in securing all data formats, including PHI?

7. How are employees required to show awareness and acceptance of your organizational information security policy?

Sample Security/Compliance Questionnaire


PROTECTION OF PRIVACY DATA AND SECONDARY USES

1. Does your organization have a privacy policy?

2. How are employees required to show awareness and acceptance of your organizational privacy policy?

3. Do you collect data about our organization’s activity and our organization’s employee activity on your system?

4. Is there a contractual agreement in place to share this information, and will this information be shared with outside organizations? If so, with whom and for what purpose?

5. What safeguards are in place to secure Protected Health Information (“PHI”) as the term is defined by HIPAA?

6. In what state and/or country will our organization’s data be stored?

7. What controls are in place to protect resources and information with third party vendors?

BUSINESS OPERATIONS AND CONTINUITY

1. Does your organization have a business continuity and disaster recovery plan?

2. How often do you test your business continuity and disaster recovery plans?

3. How do you ensure our organization can continue doing business at all times, even when a full-site failure occurs where our organization’s data or services are located?

4. What are your organizational recovery time objectives (RTO) for the restoration of services after a disruption? What are your organizational recovery point objectives (RPO) after a disruption of service?

5. Does your organization have processes and procedures in place to prevent our organization’s data from being lost or destroyed? If so, provide details on how the information will be protected.

6. How often are backups performed?

7. How often are backups tested?

8. In the event your organization goes out of business or our organization terminates the contract, who owns our organization’s data?

9. What happens to our organization’s data if you are purchased by another company? Will our organization receive advance notification?

10. Will we receive advance notification of a third party or government agency conducting audits that could potentially impact our services?

11. Has your company acquired cybersecurity insurance? If so, what are the policy limits?

12. Do you require third party vendors to have cybersecurity insurance? If so, what are the policy limits you require?

USER IDENTITY MANAGEMENT AND CONTROLLING ACCESS

1. Does your company have a network access control policy? If so, how is this policy administered on your network?

2. Who is responsible for granting/revoking access to the services that will be provided to our organization?

3. Are background screenings performed prior to granting access to sensitive data?

4. Are processes in place to readily identify employees with access to PHI?

5. What type of access controls will be put into place to limit access to our organization’s data?

6. How do your organization’s associates authenticate to our organization’s data (e.g., username and password)?

7. Is there a lockout period after unsuccessful login attempts on a password-protected system? What is the number of attempts and the duration of the lockout?

8. Do all network services travel through your organization’s firewall? Are controls in place to restrict inbound and outbound traffic to only what is necessary for communication?

9. What controls are in place that restrict network/firewall access to only authorized users?

10. Is two-factor authentication required for remote access to the network by employees, administrators and third party personnel? Describe the process.


11. What other, if any, security controls are in place to secure remote connections?

12. What procedures does your organization have in place to terminate access to our organizational data when access is no longer required?

13. Is two-factor authentication deployed throughout your internal network environment?

14. Is authentication required prior to gaining access to databases containing sensitive information?

15. What controls are in place to limit sensitive information in the databases to only what is required?

SERVICE AND DATA INTEGRATION

1. Does your organization have a policy in place that indicates your minimally acceptable data communications security standards?

2. What security methods will be used to protect our organization’s data as it travels between both organizational networks?

3. Are sensitive systems provided with isolated network environments? What technologies and/or policies are in place to prevent network communications from unapproved networks?

4. Are there processes in place to prevent unauthorized devices from physically connecting to the internal network? If so, describe them.

5. Is there a process in place to ensure that only authorized applications are being utilized on your company’s network?

6. What are your protective methods to secure organizational email traffic?

7. What are your processes to encrypt organizational data that traverses the public internet?

8. Is data at rest encrypted?

MULTITENANCY

1. Will our organization’s data and services operate as part of a larger shared system? If so, will this system have access to shared data?

2. Please identify and describe the type of security controls that are in place to separate and protect our organization’s data from other tenants in a shared environment, if applicable.

3. What security requirements do you impose on third party vendors to safeguard communications?

INCIDENT RESPONSE AND FORENSICS ANALYSIS

1. Does your organization have an incident response plan?

2. How do you detect and report a compromise to your organization’s data or services? How soon would our organization be made aware of a verified compromise?

3. In the event of an incident that affects our data, how will we be notified? What is the timeframe that we can expect to be notified?

4. In the event that an incident occurs that involves local or federal law enforcement agencies, will we be provided copies of all reports?

INFRASTRUCTURE AND APPLICATION SECURITY

1. Who owns and operates your data centers?

2. What physical and environmental security measures are in place in your data centers?

3. If conducted jointly, what parts of your infrastructure do you own and operate, and what parts do you obtain from a service provider?

4. How is your IT security managed? Internally or through an external organization?

5. Will our organization’s data be provided to cloud service providers you utilize?


6. Do you follow a formal security-hardening process for network equipment, operating systems, and applications?

7. How does your organization conduct vulnerability management?

8. Does your organization have a patch management policy?

9. If applicable, does your company have a software development life cycle policy? If so, describe how it is managed and implemented within your company.

10. If applicable, does your company utilize methods to ensure the security of developed applications? If so, describe the process.

11. If utilized, please identify the security tools/controls in place to monitor data flowing in and out of your network.

12. Are triggers in place to provide alerts for suspected malware and suspicious activity?

13. What type of anti-virus software is applied? How often are updates applied?

14. Do you use external penetration testing for assessing infrastructure and application security?

15. Please describe the password requirements for access to the system/services for both normal and privileged users.

16. What are your password change intervals for user accounts? Administrative accounts? Service accounts?

17. Please provide information for the following, in relation to services provided for our organization:

• System downtime for the past 12 months (excluding standard maintenance windows)
• Security breaches involving PHI or PII data
• Security breaches involving non-PHI / PII data
• The number of occurrences of lost/stolen portable media

PHYSICAL SECURITY

1. Does your organization have physical security controls in place to prevent the theft of and unauthorized access to network data, computer hardware, and portable devices?

2. What authentication levels are required to gain physical access to server and network hardware (card access, fingerprints, iris scan, key code, keys)?

3. Does your organization encrypt all portable devices?

4. What actions are taken in the event a device (computer, laptop, tablet, or phone) is lost or stolen?

5. What security controls are in place to protect data being physically transported?

6. What security controls does your organization have in place to minimize and monitor building access?

7. What controls are in place to identify employees when on premises?

8. What controls are in place to manage visitor access?

9. Does your organization have 24/7 access? How is after-hours access controlled/monitored?


CLOUD SERVICES

1. Will cloud services be utilized to host, manage, and/or store our organization’s data?

2. If cloud services are used, what type of service model will be utilized? Platform as a Service (PaaS), Software as a Service (SaaS), and/or Infrastructure as a Service (IaaS)?

3. If cloud services are used, what type of deployment model will be utilized? Public cloud, private cloud, community cloud or hybrid cloud?

4. If off-site, identify the cloud service provider and the location of the facility.

5. Is the cloud service provider compliant with all laws and regulations applicable to data your organization stores with them?

6. Does your organization have a BAA with the cloud service provider?

7. Does your organization have a service level agreement with the cloud service provider? If so, what is the expected uptime for the service?

8. What is the retention policy for the cloud service provider? How long will data backups be retained?

9. In the event your organization goes out of business or our organization terminates the contract, who owns our organization’s data?

10. Is the cloud service fully operated within the continental United States?

11. Is data stored, processed, transmitted, and/or accessed within the cloud service encrypted?

12. What type of access controls will be put into place to limit access to our organization’s data while stored in the cloud?

13. What authentication controls are in place to manage access to our organization’s data (e.g., username and password)?

14. Does your organization maintain audit logs on data stored within the cloud service? If so, what information is being audited (e.g., User ID, data accessed, modifications)?

MOBILE/BYOD

1. Does your company support the use of mobile devices to access the business network? If so, are the devices company-owned and managed?

2. Does your company support the use of Bring Your Own Devices (BYOD)? If so, are there policies and procedures in place to manage the use of BYOD?

3. Are mobile/BYOD users provided documented training on their roles and responsibilities in regard to the security of these devices and the information they may contain?

4. Does your company conduct security evaluations of all mobile/BYOD items prior to being granted access?

5. If applicable, how is BYOD equipment connected to the business network (hardwired, WiFi)? What type of access controls are in place to ensure proper authentication of mobile/BYOD users?

6. Does your company provide mobile device management (MDM) software for mobile/BYOD assets that are granted access to your business network?

7. If applicable, does your company allow for the use of MDM software to remotely wipe sensitive data if the device becomes compromised, lost, or stolen, or the user’s rights are revoked?

8. Are mobile/BYOD users restricted from modifying security controls applied to their device?

9. If using Wi-Fi, what security controls are in place to ensure proper access and authentication for mobile/BYOD users?

10. If using a hardwired network connection, do mobile/BYOD items have access to confidential information, including our organization’s data? Are BYOD users allowed to send, receive, and store confidential data on their devices?

11. Describe the controls that are in place to secure this information and protect it from unauthorized access. Do you perform security tests on your WiFi network? If so, how often are tests performed?


www.vgm.com/vgmtechnologies